I was Googling for an old Banditry post yesterday, as part of a discussion about that new ‘people lie about their drinking’ study. Eventually I found it, only to discover that I’d linked to a (London) Times article, and that therefore the paywall had ruined the whole thing (curiously, even though the Times now shows unregistered users the headline, lede and first sentence for new articles, it completely screws up on old ones). So I more or less gave up on the post [*].

While Googling, I was rather surprised to discover the amount of content that I’d apparently written about the availability, acquisition and applications of various medicinal substances (link will hopefully die in a few weeks as Google updates itself). I briefly considered the possibility that in a fit of poverty and/or drunkenness I’d decided to set up my own online pharmacy, then remembered that I’m based in the country with some of the tightest controls on prescription drugs in the world so that would be rather silly. Rather, I’d been hacked.

I’ve been blogging for more than a decade now, so this isn’t the first pharmaceutical spam I’ve experienced: but it is the most insidious.

Creepy crawling

The hacked pages are tainted only to Google’s crawler – if you or I or anyone in the world who isn’t Google’s crawler click through to them, then they appear as originally intended, both in the browser and in the source code. So the spam-merchant gets to benefit from my PageRank without doing suspicious things to my traffic stats or making suspicious links appear on my actual site, which has been the giveaway for previous hacks. They also, cleverly, didn’t go for an out-and-out hack of all pages, so if you google for “johnband.org” or search the site for a specific term that isn’t drug-related, then you’ll get the correct result, with no indication that some of the pages (mostly tag pages, category pages, and monthly archives) exist to Google only as pharmaceutical billboards.

Conveniently, Google has a funky-cool Fetch As Google tool, described here by their engineer Matt Cutts, which allows you to see exactly what the Googlebot sees when it crawls any page on your site. Sticking the affected pages into the tool confirmed that Google was still seeing them as pharmaceutically compromised. And that they’d been this way since last July-August.

So, I junked my evening plans and settled in for a night of Fun With WordPress, PHP, MySQL, Unix Permissions And Google. Which is my favourite sort of fun, obviously.

Hope, cruelly dashed

The top Google hit on the pharma hack, from blogger Chris Pearson, was an extremely well-written summary which described an identical problem to mine. “Result!”, I thought. So I followed Chris’s steps, only to discover that absolutely none of them worked. The trouble is, the pharma spammers are cleverer bastards than I’d thought: once the tricks of your trade are readily visible with a quick Google, you’re at a disadvantage. And Chris’s post dates from April 2010. Three years of malware evolution later, although his macro-level points are still worth a read, the actual techniques described were way obsolete.

Bugger.

So I Googled a bit more, mostly finding sites that repeated Chris’s solution, but eventually happening upon a couple of write-ups that were closer to my problem – at least, in the sense that they also found none of the things Chris describes, nor any of the obvious hacks I’ve experienced before like a doctored .htaccess file or dodgy-sounding access permissions, nor any changes to the main WordPress database… at least, none of the changes that anyone has noted online.

The most comprehensive, although perhaps the least comprehensible unless you’re ultra-techie, was a post from Shaun Green from February 2012. Short version: the current version of the hack creates php files with names that sound like they should be real WordPress files, and distributes them throughout your WordPress install but especially in the wp-includes folder so that they’re almost impossible to find and tell apart from real WordPress files without doing extremely nerdy things.

I’m not really a deep-level coder, so following all of Shaun’s steps sounded rather painful. And my install didn’t contain the specific filenames he lists (https.php and class-sftp.php), so I would have had to literally retrace his steps rather than just following his conclusions.

Instead, I went for a slightly lower-tech option. Everything in the wp-includes folder is a standard WordPress file, which shouldn’t have changed since installation. The same is true for everything in the wp-admin folder, and for everything in the WordPress root folder except for wp-config.php (which I’d already checked to make sure it wasn’t compromised). So I downloaded a vanilla version of WordPress 3.5.1, deleted everything from my install except for the wp-content folder (where themes, plugins and pictures are stored) and wp-config.php, and then copied the untainted files across.

One quick check on Fetch As Google later and – hurrah! – the pharmaceuticals had all disappeared. Now all I need to do is wait for Google to update its cache, and everything should be back to normal.
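To make the "reinstall every folder that shouldn't have changed" approach repeatable, here is an added example (my own script, not from the post, from WordPress or from Wordfence) that compares a live install against a vanilla download of the same version and reports core files that are extra, modified or missing, skipping wp-content/ and wp-config.php. It assumes both trees are on local disk, paths contain no whitespace, and sha256sum is available; the sample trees it runs on are constructed inline, with the injected filename borrowed from the post.

```shell
#!/bin/sh
# Compare a self-hosted WordPress install against a vanilla copy of the same
# version and list core files that should not differ. wp-content/ and
# wp-config.php are skipped because they legitimately differ per site.
# Assumptions (mine, not the post's): both trees are on local disk,
# paths contain no whitespace, and sha256sum (coreutils) is installed.

# Print "sha256  ./relative/path" for every core file under the given root,
# sorted by path.
hash_tree() {
  ( cd "$1" && find . -type f \
        ! -path './wp-content/*' ! -name 'wp-config.php' \
        -exec sha256sum {} + | sort -k 2 )
}

# Usage: wp_core_diff VANILLA_DIR LIVE_DIR
# Reports EXTRA (only in live), MODIFIED (hash differs) and MISSING (only in
# vanilla). An EXTRA .php file in wp-includes/ or wp-admin/ is exactly the
# pattern the post describes; MODIFIED core files deserve the same scrutiny.
wp_core_diff() {
  tmp=$(mktemp -d) || return 2
  hash_tree "$1" > "$tmp/vanilla"
  hash_tree "$2" > "$tmp/live"
  awk 'NR == FNR { van[$2] = $1; next }   # first file: vanilla hashes by path
       { live[$2] = 1 }
       !($2 in van)  { print "EXTRA    " $2; next }
       van[$2] != $1 { print "MODIFIED " $2 }
       END { for (p in van) if (!(p in live)) print "MISSING  " p }' \
      "$tmp/vanilla" "$tmp/live" | sort
  rm -rf "$tmp"
}

# Build two small constructed trees under $1 (vanilla/ and live/) that mimic
# the situation in the post: one injected file with a core-sounding name, one
# altered admin file, one deleted core file, plus site-specific files that
# must be ignored. These are samples, not a real install.
make_sample_install() {
  v="$1/vanilla"; l="$1/live"
  mkdir -p "$v/wp-includes" "$v/wp-admin" \
           "$l/wp-includes" "$l/wp-admin" "$l/wp-content/themes"
  printf 'core\n'     > "$v/wp-includes/functions.php"
  printf 'core\n'     > "$l/wp-includes/functions.php"   # untouched: not reported
  printf 'core\n'     > "$v/wp-includes/pluggable.php"   # deleted from live
  printf 'admin\n'    > "$v/wp-admin/index.php"
  printf 'backdoor\n' > "$l/wp-admin/index.php"          # altered in live
  printf 'spam\n'     > "$l/wp-includes/class-sftp.php"  # injected; name from the post
  printf 'theme\n'    > "$l/wp-content/themes/x.php"     # site content: skipped
  printf 'secrets\n'  > "$l/wp-config.php"               # site config: skipped
}

# Demo run on the constructed trees; prints the three findings and cleans up.
root=$(mktemp -d)
make_sample_install "$root"
wp_core_diff "$root/vanilla" "$root/live"
rm -rf "$root"
```

Run it against an unpacked vanilla tarball of the exact version you are running and the web root of the live site; anything under EXTRA or MODIFIED is what to read before you overwrite it.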

Gone forever?

While the problem was solved in the short term, it clearly wasn’t solved in the long term: I’d started with an uncorrupted WP installation, and someone had managed to corrupt it. So – after doing the basic password changing things, obviously – I installed Wordfence and Better WP Security. If you host your own WordPress blog (anything that isn’t on wordpress.com), then so should you. Wordfence is the equivalent of an antivirus program for your WordPress install; Better WP Security automates a whole bunch of handy lockdown and obfuscation tricks. Wordfence threw up a few vaguely suspicious files associated with some of the themes that were installed, so I deleted them; everything was then fine.

I’ve also set up Google Alerts that notify me if any new content appears on johnband.org containing various spammy keywords (the usual suspects), which obviously won’t be much use until the current spam-buggered content is removed, but will then allow me to kill any future infections before they’ve completely ruined my search results. I’ll update this post in the event that anything else occurs. If I remember, I’ll update it in a couple of months if nothing else has occurred, since zero is sometimes a helpful data point.

TL/DR: Was quite painful, could have been much worse. If this happens to you I definitely recommend the “for every folder which shouldn’t have changed since WP was installed, delete the folder and reinstall” approach, although do check the database and fix any issues there first. And set up the security things even if this hasn’t happened to you yet, because it probably will.

[*] Short version of post I was going to write: epidemiological studies into alcohol-related harm are also based on self-reported consumption, so while it’s likely that everyone drinks more than they say, it’s also likely that alcohol is correspondingly less bad for you than those studies have shown, by about the same margin – unless we can come up with valid reasons why people would underestimate in one sort of study but not the other. Also, News Corporation are still unimaginably bad at digital strategy.


Answer: I went to India and spent a great deal of time buggering about with smartphones. And then used that as background material for writing a guide to mobile phone travel in India. The guide isn’t quite finished yet, but I’ve written an article about some of the more bureaucratic bits for Smart Phone Travel.

I also went to an amazing wedding, and enjoyed the coldest temperatures the northern hill city of Dehradun has seen since Independence. Which was, well, cold. Had great familial fun in Mumbai, and great touristy fun in Pondicherry and Chennai. Indian Railways’ day train from Pondicherry to Chennai was surprisingly good (and had a power socket for my mobile phone, amazingly and relevantly to the context of the post).

For your information, in all known dialects of English, the phrase ‘snowman’ refers to a figure of a man which is made from snow (something like a statue, sculpture or perhaps golem), rather than a man who delivers snow.

I understand there is room for confusion here, when considering examples such as ‘milkman’, ‘postman’ and ‘pizza boy’. However, ‘snowman’ is very much in the style of ‘wicker man’ (which is not a term for a gentleman who delivers baskets) or ‘iron man’ (which is not a term for either a gentleman who delivers ferrous metals, or a gentleman who works in a laundry).

Before seeking to write a song that seeks to summarise the Anglophone world’s Christmas traditions, one might have thought you would have done the most basic research into what these traditions actually were. I can promise you that none of them involve a snow delivery gentleman “bringing the snow”.

I look forward to this error being corrected in future releases of your popular chart hit.

The text below is the output of my phone’s AI autocomplete app (SwiftKey), based on its knowledge of the things I say and do. My only interaction was to choose between the three suggestions it offered.

I have been made to the park. I am not going anywhere, and I will not receive the item is faulty, but the most important things. The only way I could have a good idea. The problem isn’t with the loan companies, who is a good film, but the subway. I am a real Zeus, and I am not sure what to expect.

The problem is that it is not a good idea. The only thing I have been a bit of fun. I have been a while, but I can confirm that you can get round to the zoo tomorrow, zoo tomorrow. And I know that analgesics, and I am not sure what to expect. I have a glass of wine. I have a glass of wine. The only way I could have a great day and the Machine, but it is. It has an appointment. The quality is the most of my own.

We have to do it. I have a glass of wine.. I don’t vividly the best. If I identified and then I will have the same. Federalism the best. The only problem is the first place to find a job, but the best way of organizing emails into the address below and click the Help section for the next few days ago.

It was a bit of a fine example of the most important thing. But it was a very long time to get the latest version, and the Democrats are total pansies who are not responsible for any reason. I have a glass of wine.

The quality of life and I am not sure what to expect. I don’t think it’s a good time to do it. It is a bit of a new member. I don’t vividly recall his own words. The problem isn’t a problem with your friends, but I guess the queen plays by her own rules.

K is technically right here at the moment. The quality is not a good day and night and then the next day or night. The only way to get a quote from you soon as possible to make a decision on the phone and the other side of things to come and see if you are looking for a few weeks, but it doesn’t matter how much I love you so that.

I have a glass of wine.

Slightly worried that in the reasonably near future, my phone will replace me.

was created by a woman (Henry VIII’s Church rejected the authority of the Pope, but remained Catholic in doctrine; it was Elizabeth I who turned it into a solidly Protestant church after Mary I’s attempt at Catholic, erm, revivalism);

is headed by a woman (Liz’s namesake, defender of the faith);

had a massive “yes” vote to the ordination of female priests from both the House of Bishops (0% female, 94% ‘yes’) and the mixed-sex House of Clergy (29% female, 77% ‘yes’);

saw the vote defeated for failing to achieve a two-thirds majority in the mixed-sex, non-ordained House of Laity, made up of democratically elected representatives of C of E churchgoers (46% female, 64% ‘yes’).

The all-male boys-club dinosaurs voted almost solely for equality, the still-male dominated clergy were overwhelmingly for equality, and the mixed-sex representatives of the C of E congregation (which is itself about 65% female) were the most bigoted of the lot. In other words, if the C of E wasn’t so keen to give regular churchgoers a say, female bishops would totally be a thing already, and the massive blow to both PR and moral authority of voting for discredited Pauline nonsense wouldn’t have happened.

I was going to add, I don’t know why the female-dominated C of E congregation choose to elect representatives (both male and female) who hate women. But on reflection, I’m pretty sure it’s that, although many women whose views mirror those of Ann Widdecombe in rejecting the C of E’s modest levels of inclusivity and egalitarianism have opted to join the Roman Catholic Church (which, obviously, has none of either), some have stayed with what they know. Sadly, yesterday’s vote is likely to keep them on board for longer.

This is technically true (random quote from blog commenter, but one which reflects a lot of educated-people-who-know-about-stats opinion on the Silver model):

Silver’s analysis (which I happen to accept) won’t be contradicted (or proven) in any way by tomorrow’s outcome. Either result is accounted for in the model. People seem not to understand that.

However, it’s a silly thing to say. If you craft a model in such a way that you are publicly on record as saying that one candidate in a two-horse race has a 90% chance of winning, and he loses, then you will find it very hard to avoid looking like a tit, even if your stats were absolutely correct and the result is just a one-in-ten piece of bad luck for your model.

The only way in which you could plausibly avoid the tail-risk of looking like a tit would be to focus a sizeable part of your commentary on that tail-risk, why your model shouldn’t be taken as an out-and-out prediction, and why you might be wrong, rather than focusing on the reasons that you think are underlying the 90%-likely outcome.

Mr Silver has gone very strongly for the “focusing on the underlying reasons” option, presumably because he’d much rather take a 90% chance of being The Awesome Pollster Who Correctly Tipped The Election with a 10% chance of being That Tit, than a 100% chance of being That Boring Wonk Who Explained Why We Shouldn’t Pay Too Much Attention To His Numbers.

Which is entirely rational, given the risk/reward matrix he faces, but does mean that anyone who suggests we should refrain from calling him That Tit if the 10% scenario comes through is missing the point.

(tenuously relatedly, I’m delighted to see Ezra Klein dredging up this fine work of speculative psephology and poll-bludgeoning)


How on earth did it get to be October? The temperature’s 33C, the birds are singing, and the massive quantities of work that I have to get finished within the next fortnight are absolutely terrifying [*].

Since all the headline news seems to involve either tedious rehashes of politics (in brief: no presidential debate or party conference speech has ever made a blind bit of difference to anything; they’re like pre-season friendlies for people who follow politics instead of sport) or horrible things happening to women and girls either now or in the past (in brief: it’s impressive how much difference both changing societal attitudes and modern surveillance techniques have made to abusers getting caught), I haven’t had a whole lot to say, beyond one-liners on Twitter.

The global economy? Well, that hasn’t really changed in 12 months. Austerity in Europe failed some more, as everyone who isn’t a raving far-right ideologue predicted. The half-austere USA did slightly better, as, etc. Australia continues to outperform by virtue of being a rock of gold and coal the size of the USA with the population of Florida. Meaningless statements are being made by the ECB, which might be of vague importance if you’re a day-trader or a Greek, but certainly not otherwise.

Assorted Middle East wars: the only one which really matters (unless you live there, in which case there doesn’t seem to be a huge difference in survival rates between the ones where we toppled evil dictators and the ones where we didn’t) is Israel/Iran. It seems unlikely that Benji will do anything before the US election. That’s The One To Watch – a significant Israel/Iran campaign would be the most significant geopolitical thing since at least Iraq 2003, if not the fall of the USSR.

Off to Oktoberfest in Brisbane in a week and a bit, by which point the news still won’t have changed, but hopefully I’ll have a bit less of a workpile. Meanwhile, roger and out.

[*] an interesting difference between being freelance and employed is the extent to which employed people love the weekends, whilst as a freelancer I dread them. “NO, IT’S FRIDAY ALREADY. THIS CANNOT BE!”.

In the context of the neo-puritan trial of Simon Walsh (description of case NSFW although text-only) for possessing ‘extreme pornography’ – in UK law, the simple ownership of photos of consenting adults doing kinky things to each other that could cause physical damage – civil liberties defender David Allen Green made the point that “the trial is about how the State can use the criminal law to regulate images of acts which are perfectly legal to perform”. Political philosopher Chris Bertram countered by making the (fair) point that “that’s already the case re ppl over the age of consent but under 18. So nothing new in that respect”.

I suggested to Chris that this nonetheless wasn’t a strong argument in the extreme pornography laws’ favour, because the laws he cites are also indefensible. He strongly disagreed with my claim that the laws were indefensible. We agreed to disagree on Twitter, which is a terrible location for such an argument – but I thought I’d set out here why I think the laws that universally criminalise the possession of indecent images of people over the age of consent but under the age of 18 are a terrible idea [fn1].

As far as I can see, there are three reasons why society has an interest in minimising the existence of indecent images of 16-17 year olds, while accepting that it is completely legitimate for them to have sex [fn2]. These three reasons need to be balanced against the starting point that it’s both illogical and cruel to ban people who we accept should be allowed to see each other naked and have sex with each other from owning naked/sexual pictures of each other [fn3].

To prevent people under the age of majority from being exploited by creepy pornographers who offer them money for acts and pictures they will subsequently regret and will never be able to take back, despite never having had the legal capability to enter into such a contract.

To prevent third parties or partners from photographing people without their consent (whether or not they distribute the pictures in principle, although the latter is obviously worse).

To prevent incidents where photographs taken by the person or their partner get into the public domain (generally vengeful exes or boastful idiots).

Reason one is hard to argue with. There’s no reason why the capacity to give sexual consent should be equal in law with the capacity to enter a binding contract; prostitution involving under-18s is forbidden in most jurisdictions with harsh punishments applied to clients and pimps for exactly the same reason [fn4]. But it’s already largely solved: if a pornographer pays someone under 18 to have a sexual encounter for money, then they are guilty of child prostitution offences and everyone involved in the process gets jailed for a long time. So we’re left here with the problem of pornographers enticing 16-18s to pose for indecent pictures that don’t come within the scope of the existing prostitution law. Given the legal definitions we already have for the purposes of both obscenity and prostitution law, this would not be at all difficult to draft, with punishments just as severe as currently apply. So that part of the problem can easily be solved without any conflict.

For reason two, I’m struggling to see why this point is any different whether you’re 16 or 25, or 33, or 100. If some scumbag takes indecent photos of you without your consent, that’s vile, and if they publish them, they’re an appalling person and you’ve been violated. The fact that a 16-year-old can’t consent in the sense being discussed is irrelevant, since nobody’s consenting to anything anyway. So whatever the appropriate legal solution to this problem may be, it isn’t the one at hand.

Reason three is superficially more tempting. Anyone who actually distributes the pictures in this context would be caught by the same law as the people in reason two, but there is a judgement-related argument that can be raised.

Kids are, in general, both more trusting and more likely to do stupid things than adults, and teenagers mostly go out with each other. So someone aged 16-17 is more likely to treat someone who is in fact a reason-two scumbag as a trusted partner; they are also more likely to be going out with someone who is pathetic enough to publish their private photos if things go awry. At this point, protecting kids from increased risk to themselves surely overrides your general right to send your lover a photo for them to wank off to when you’re away, right?

Well, no.

Criminalising things has a deterrent effect, sure, and that deterrent effect varies depending on the rationality of both the crime and the criminal. Famously, the death penalty is generally accepted to have little-to-no impact on murder rates, because very few murders are based on a rational calculation of the penalty if caught.

Murders tend to involve people with poor impulse control (whether generally or due to temporary factors) in situations that involve an intense emotional response. In these cases, deterrence is largely irrelevant: people do not act based on rational calculations. On the other hand, when talking about cases such as deliberate corporate fraud, stringent detection and heavy penalties do indeed have a strong deterrent effect, because they involve rational people making rational decisions.

RHETORICAL QUESTION ALERT: do mid-teenage relationships tend to fall into the category of “rational people making rational decisions”, or “people with poor impulse control in situations that involve an intense emotional response”?

Quite. So rather than creating a situation where kids are prevented from doing stupid things, we end up with a situation where kids continue to do stupid things to pretty much the same extent, but end up being arrested and gaining criminal records for them [fn5]. It would be a bit of a struggle to suggest that this makes anyone better off.

******

[1] Yes, it’s because I want to defend nonces and WON’T THINK OF THE CHILDREN. Discussions of this kind of law tend to stray into that kind of territory; if that’s your bag, then this blog – along with any source of debate more sophisticated than the comments section of the Sun – is not for you. This is obviously and absolutely not aimed at Chris.

[2] Let’s take the second point as read for the purposes of this discussion; it’s the case both where I live and where I’m from. I know some Australian states and much of the USA set the age of consent at 18, which strikes me as daft for many of the same reasons discussed in this post, but at least consistent.

[3] The UK law in question has exemptions for people who are married or living together and de-facto married, but most people who are aged 16-17 and in fairly serious relationships do not fall within these exemptions.

[4] Prostitutes aged under 18 are also still arrested and charged in many jurisdictions, despite being the victims; the lawmakers, police and prosecutors responsible for this decision should be horsewhipped until they are dead.

[5] Or the law is never enforced, in which case what exactly is it supposed to be for again? If you want to send a message, use SMS not the courts.

The first jetliner was Boeing’s square-windowed 707; it was grounded after a few months following tragic incidents which wiped out a fair proportion of elite Americans. The money flowing to De Havilland to create a civilian airliner programme to promote their non-murderous plane trumped nationalist concerns.

Despite the fact that the 707 is a finer airliner than the Comet, nobody trusts it, and even Pan-Am and TWA are acquiring Comets. The fact that nobody had really understood pressurisation before Boeing’s painful lesson ensures that De Havilland’s planes became the narrow-body airliner to beat all airliners.

Fantasy world: #2: the first supersonic jetliner is Boeing’s supersonic 7NN7. While it made a bit of noise, the need to beat the Comet – because, despite the technical superiority of the Comet, the sheer cash of the US government and the fact that we all need to make up for America’s humiliation has ensured that nonsense about ‘supersonic booms’ was defeated by the allegiances of the civilised world.

With its Rolls-Royce/Pratt & Whitney engines, it has been allowed to fly supersonic over all territories outside of the USSR. New York-London-Singapore-Sydney-Los Angeles-New York on Pan-Am was do-able in under a day. Fashionistas signed up, in the hope it would make them sexy and youthful. The conception that transatlantic flight takes more than 4 hours became ludicrous, like the concept of taking four days in a flying boat before WWII,